From b4e699860a0e358717d6066bef44f64288f566b6 Mon Sep 17 00:00:00 2001 From: Jeff Ohrstrom Date: Mon, 24 Jun 2024 11:08:42 -0400 Subject: [PATCH] cleanup the environment before submitting jobs (#3628) * sanitize the job environment * sanitize bc jobs * climate_control not only dev/test gem now * should not have added pry --- apps/dashboard/Gemfile | 2 +- .../app/models/batch_connect/session.rb | 5 ++- .../app/models/concerns/sanitized_env.rb | 36 +++++++++++++++++++ .../app/models/concerns/sanitized_env.rb | 36 +++++++++++++++++++ .../myjobs/app/models/resource_mgr_adapter.rb | 7 ++-- 5 files changed, 82 insertions(+), 4 deletions(-) create mode 100644 apps/dashboard/app/models/concerns/sanitized_env.rb create mode 100644 apps/myjobs/app/models/concerns/sanitized_env.rb diff --git a/apps/dashboard/Gemfile b/apps/dashboard/Gemfile index 3d4dcb797e..a71ab39cdd 100644 --- a/apps/dashboard/Gemfile +++ b/apps/dashboard/Gemfile @@ -21,7 +21,6 @@ gem 'sdoc', group: :doc, require: false group :development, :test do # Call 'byebug' anywhere in the code to stop execution and get a debugger console gem 'byebug' - gem 'climate_control', '~> 0.2' gem 'timecop', '~> 0.9' end @@ -50,6 +49,7 @@ gem 'dotiw' gem 'local_time', '~> 1.0.3' gem 'zip_kit', '~> 6.2' gem 'rss', '~> 0.2' +gem 'climate_control', '~> 0.2' gem 'jsbundling-rails', '~> 1.0' gem 'cssbundling-rails', '~> 1.1' diff --git a/apps/dashboard/app/models/batch_connect/session.rb b/apps/dashboard/app/models/batch_connect/session.rb index 311e7eae7a..fefa6dd108 100644 --- a/apps/dashboard/app/models/batch_connect/session.rb +++ b/apps/dashboard/app/models/batch_connect/session.rb @@ -4,6 +4,7 @@ module BatchConnect class Session include ActiveModel::Model include ActiveModel::Serializers::JSON + include SanitizedEnv # This class describes the object that is bound to the ERB template file # when it is rendered 
@@ -309,7 +310,9 @@ def submit(opts = {}) job_script_options_file.write(JSON.pretty_generate(options)) # Submit job script - self.job_id = adapter.submit script(content: content, options: options) + ClimateControl.modify(sanitized_env) do + self.job_id = adapter.submit script(content: content, options: options) + end db_file.write(to_json, perm: 0o0600) true rescue => e # rescue from all standard exceptions (app never crashes) diff --git a/apps/dashboard/app/models/concerns/sanitized_env.rb b/apps/dashboard/app/models/concerns/sanitized_env.rb new file mode 100644 index 0000000000..ffa1e3bcbf --- /dev/null +++ b/apps/dashboard/app/models/concerns/sanitized_env.rb @@ -0,0 +1,36 @@ +# frozen_string_literal: true + +# Sanitize an environment by returning a new Hash that can +# be used with ClimateControl to submit jobs with that new +# environment. +module SanitizedEnv + PREFIXES = [ + 'SECRET', 'PASSENGER', 'BUNDLE', + 'RACK', 'HTTP', 'NODE', 'RAILS', 'RUBY', + 'GEM', 'NGINX' + ].freeze + + def sanitized_env + # these are all one offs that we should clear so they don't conflict + # with the job. + { + 'LD_LIBRARY_PATH' => nil, + 'MANPATH' => nil, + 'PYTHONUNBUFFERED' => nil, + 'X_SCLS' => nil, + 'WSGI_ENV' => nil, + 'ALLOWED_HOSTS' => nil, + 'IN_PASSENGER' => nil, + 'SERVER_SOFTWARE' => nil, + 'PKG_CONFIG_PATH' => nil + }.merge(sanitize_env(Regexp.new(PREFIXES.join('|')))) + end + + def sanitize_env(prefix) + ENV.select do |key, _value| + key.start_with?(prefix) + end.map do |key, _value| + [key, nil] + end.to_h + end +end diff --git a/apps/myjobs/app/models/concerns/sanitized_env.rb b/apps/myjobs/app/models/concerns/sanitized_env.rb new file mode 100644 index 0000000000..ffa1e3bcbf --- /dev/null +++ b/apps/myjobs/app/models/concerns/sanitized_env.rb 
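Review bot: `ClimateControl.modify(sanitized_env)` around `adapter.submit` in `submit` rewrites the process-wide `ENV`, not only the environment of the submit call, so for as long as the scheduler command runs, any other thread in this process that reads `ENV` or starts a child sees the cleared variables too. Whether the dashboard ever serves more than one thread per process is not visible here, so this is a question rather than a confirmed fault; the same pattern is added to `qsub` in apps/myjobs/app/models/resource_mgr_adapter.rb. If it can happen, either hand the cleaned environment to the child process only, or record the assumption next to the call, e.g. `# ENV is process-global: assumes no other thread reads ENV while submit runs`. The body of `submit` starts and ends outside this hunk.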
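Review bot: `sanitize_env` matches with `key.start_with?`, so each entry in `PREFIXES` only removes variables whose name begins with it, and the match is case-sensitive: `SECRET` clears `SECRET_KEY_BASE` but leaves a name like `API_SECRET` (constructed example), and nothing here covers names containing TOKEN or PASSWORD. If the module is meant to keep web-server credentials out of job environments and not only to avoid conflicts, state that limit above `PREFIXES`, e.g. `# Denylist by name prefix only: any variable not listed here is still inherited by the job.` The `prefix` parameter actually receives a Regexp, and `Regexp.union(PREFIXES)` would build it with the entries escaped. The file added under apps/myjobs/app/models/concerns/ is identical, so the same applies there, and the two copies can drift apart.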
@@ -0,0 +1,36 @@ +# frozen_string_literal: true + +# Sanitize an environment by returning a new Hash that can +# be used with ClimateControl to submit jobs with that new +# environment. +module SanitizedEnv + PREFIXES = [ + 'SECRET', 'PASSENGER', 'BUNDLE', + 'RACK', 'HTTP', 'NODE', 'RAILS', 'RUBY', + 'GEM', 'NGINX' + ].freeze + + def sanitized_env + # these are all one offs that we should clear so they don't conflict + # with the job. + { + 'LD_LIBRARY_PATH' => nil, + 'MANPATH' => nil, + 'PYTHONUNBUFFERED' => nil, + 'X_SCLS' => nil, + 'WSGI_ENV' => nil, + 'ALLOWED_HOSTS' => nil, + 'IN_PASSENGER' => nil, + 'SERVER_SOFTWARE' => nil, + 'PKG_CONFIG_PATH' => nil + }.merge(sanitize_env(Regexp.new(PREFIXES.join('|')))) + end + + def sanitize_env(prefix) + ENV.select do |key, _value| + key.start_with?(prefix) + end.map do |key, _value| + [key, nil] + end.to_h + end +end diff --git a/apps/myjobs/app/models/resource_mgr_adapter.rb b/apps/myjobs/app/models/resource_mgr_adapter.rb index 0320ce67a7..2a9e8e784d 100644 --- a/apps/myjobs/app/models/resource_mgr_adapter.rb +++ b/apps/myjobs/app/models/resource_mgr_adapter.rb @@ -4,6 +4,8 @@ # OodJob errors will be caught and re-raised as PBS::Error objects class ResourceMgrAdapter + include SanitizedEnv + attr_reader :workflow def initialize(workflow) @@ -34,8 +36,9 @@ def qsub(script_path, host: nil, depends_on: {}, account_string: nil) job_array_request: workflow.job_array_request.presence, copy_environment: workflow.copy_environment.eql?("1") ? true : false ) - adapter(cluster).submit( script, **depends_on) - + ClimateControl.modify(sanitized_env) do + adapter(cluster).submit(script, **depends_on) + end rescue OodCore::JobAdapterError => e raise PBS::Error, e.message end
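Review bot: `qsub` now calls `ClimateControl.modify` at runtime, but the diffstat lists only apps/dashboard/Gemfile, so nothing in this commit shows `climate_control` being available to myjobs outside a development/test group. If it is not, the call raises `NameError`, which the `rescue OodCore::JobAdapterError` right below does not catch. Worth confirming that apps/myjobs/Gemfile declares `gem 'climate_control', '~> 0.2'` at top level, as the dashboard Gemfile now does. `qsub` begins above this hunk.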